Threat actors didn’t take a vacation this summer. On the contrary, they stepped up their game with new types of malware, RATs, and campaigns.
Dark Clouds Ahead
Let’s start with CloudMensis. This previously undocumented macOS backdoor is multi-stage malware: a first-stage downloader infects the Mac and fetches the spyware component, which then captures and exfiltrates sensitive information such as keystrokes, screen captures, and documents. For C&C, the operators used public cloud storage services rather than infrastructure of their own. To bypass the TCC (Transparency, Consent, and Control) daemon on macOS Catalina 10.15.5 and earlier, CloudMensis exploited CVE-2020-9934, a bug Apple fixed in 10.15.6, so the bypass only works on unpatched Catalina systems.
Also in August, the Russia-based advanced persistent threat group APT29 (aka Cozy Bear, Cloaked Ursa, and Nobelium) targeted government entities in several countries with spear-phishing campaigns. The lure emails duped recipients into downloading an agenda for an upcoming meeting with an ambassador; the link led to a malicious HTML file that acted as a dropper (the group’s EnvyScout tooling), writing additional malicious files, including a Cobalt Strike Beacon payload, onto the victim’s machine. To avoid detection, APT29 hosted its files on legitimate and popular online storage services, including Dropbox and Google Drive, so the downloads blended in with ordinary traffic.
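The HTML dropper in this campaign relies on the browser itself to assemble and save the payload, so the file never appears as a plain download on the wire. Below is an added example of a heuristic scanner for that pattern; it is not code from the original post, from APT29, or from any vendor. The indicator list, the thresholds, and the two sample pages are all constructed assumptions for illustration, not artifacts from the real campaign.

```python
"""Heuristic scanner for HTML-smuggling droppers.

Added example for this post, not code from the original article or from any
vendor's tooling. The indicator list and thresholds are assumptions drawn from
commonly documented smuggling idioms; the sample pages are constructed.
"""
import re

# JavaScript idioms that turn an embedded blob into a file download. Each is
# common on benign pages; several of them together with a large embedded
# base64 payload is what characterises a smuggling page.
SMUGGLING_INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"""\.download\s*=|\bdownload\s*=\s*["']"""),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "atob": re.compile(r"\batob\s*\("),
    "byte_loop": re.compile(r"charCodeAt\s*\("),
}

# A base64 run this long is far bigger than the inline icons or fonts a normal
# page carries; 2000 chars is an assumed, tunable threshold.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")
MIN_PAYLOAD_BYTES = 4096   # assumed threshold for the decoded payload size
MIN_INDICATORS = 3         # assumed: require several idioms, not just one


def analyze_html(html: str) -> dict:
    """Return the indicators found, the largest base64 run and a verdict."""
    hits = sorted(name for name, rx in SMUGGLING_INDICATORS.items() if rx.search(html))
    largest = max((len(run) for run in BASE64_RUN.findall(html)), default=0)
    approx_bytes = largest * 3 // 4          # base64 inflates data by 4/3
    suspicious = len(hits) >= MIN_INDICATORS and approx_bytes >= MIN_PAYLOAD_BYTES
    return {
        "indicators": hits,
        "largest_base64_chars": largest,
        "approx_payload_bytes": approx_bytes,
        "suspicious": suspicious,
    }


def build_samples() -> dict:
    """Constructed inputs: one smuggling page, one benign page. Not real lures."""
    fake_payload = "QUJD" * 1500              # 6000 base64 chars ("ABC" repeated)
    smuggled = f"""<html><body><p>Loading the meeting agenda...</p>
<script>
  var data = "{fake_payload}";
  var raw = atob(data);
  var buf = new Uint8Array(raw.length);
  for (var i = 0; i < raw.length; i++) buf[i] = raw.charCodeAt(i);
  var blob = new Blob([buf], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "agenda.iso";               // constructed file name
  a.click();
</script></body></html>"""
    benign = ('<html><body><h1>Agenda</h1>'
              '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg==">'
              '<a href="/files/agenda.pdf">Download the agenda</a></body></html>')
    return {"smuggled": smuggled, "benign": benign}


if __name__ == "__main__":
    for name, page in build_samples().items():
        print(name, analyze_html(page))
```

The verdict deliberately requires both signals: the download idioms alone appear in legitimate single-page apps, and a long base64 run alone can be an embedded font, so either one on its own would drown an analyst in false positives. Run it over HTML attachments and proxy-captured pages at the gateway, and treat a hit as a reason to detonate the file, not as a final verdict.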
Threat actors are also becoming more adept at bypassing multi-factor authentication (MFA), pairing stolen credentials with social engineering rather than attacking the second factor head-on.
A recent example is the Cisco breach. The attackers obtained initial access by compromising the personal Google account of a Cisco employee: the user had enabled password syncing in Google Chrome and stored their Cisco credentials in the browser, so the corporate credentials were synchronised into the personal Google account and from there into the attackers’ hands. Credentials alone did not get them past MFA, so they turned to phishing methods other than email, including vishing (voice phishing, where the attacker calls the employee and talks them into divulging sensitive information or approving an action over the phone). Once inside, they obtained administrative privileges and used them to log into multiple systems. They dropped remote access tools such as LogMeIn and TeamViewer, which are widely used by IT teams and therefore blend in, as well as the offensive security tools Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and they added their own backdoor accounts and persistence mechanisms.
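The post-access steps above leave a recognisable trail in host logs: a new account, a privilege grant to it shortly afterwards, and then remote-access or offensive tooling started under that account. The following is an added example of correlating those three signals; it is not Cisco’s detection logic or any vendor’s rule set. Event IDs 4720, 4732, and 4688 are real Windows Security log IDs, but the flat record layout, the executable-name markers, the one-hour window, and the sample events are constructed assumptions for illustration.

```python
"""Correlating account creation, privilege grants and tool execution.

Added example for this post, not Cisco's detection logic or any vendor's
rule set. Event IDs 4720, 4732 and 4688 are real Windows Security log IDs;
the flat record layout and the sample events below are constructed, and the
executable-name markers are assumptions used only for matching.
"""
import os
from datetime import datetime, timedelta

EVT_USER_CREATED = 4720       # a user account was created
EVT_LOCAL_GROUP_ADD = 4732    # a member was added to a security-enabled local group
EVT_PROCESS_CREATE = 4688     # a new process has been created

# Substrings of executable basenames for the tools named in the write-up.
TOOL_MARKERS = ("logmein", "teamviewer", "cobaltstrike", "powersploit", "mimikatz", "impacket")
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
BACKDOOR_WINDOW = timedelta(hours=1)   # assumed: creation and privilege grant close together


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_backdoor_accounts(events):
    """Flag accounts granted a privileged local group soon after being created."""
    created_at = {}
    findings = []
    for e in sorted(events, key=_ts):
        if e["id"] == EVT_USER_CREATED:
            created_at[e["target"].lower()] = _ts(e)
        elif e["id"] == EVT_LOCAL_GROUP_ADD and e.get("group", "").lower() in PRIVILEGED_GROUPS:
            t0 = created_at.get(e["target"].lower())
            if t0 is not None and _ts(e) - t0 <= BACKDOOR_WINDOW:
                findings.append({"rule": "new-account-privileged", "host": e["host"],
                                 "account": e["target"], "group": e["group"], "by": e["subject"]})
    return findings


def detect_tool_execution(events):
    """Flag process starts whose basename matches a remote-access or offsec tool."""
    findings = []
    for e in events:
        if e["id"] != EVT_PROCESS_CREATE:
            continue
        base = os.path.basename(e["process"].replace("\\", "/")).lower()
        marker = next((m for m in TOOL_MARKERS if m in base), None)
        if marker:
            findings.append({"rule": "remote-or-offsec-tool", "host": e["host"],
                             "process": base, "marker": marker, "by": e["subject"]})
    return findings


def triage(events):
    """Combine both rules; a tool started by a freshly privileged account is high severity."""
    accounts = detect_backdoor_accounts(events)
    tools = detect_tool_execution(events)
    suspect = {f["account"].lower() for f in accounts}
    for f in tools:
        f["severity"] = "high" if f["by"].lower() in suspect else "medium"
    return accounts + tools


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"ts": "2022-08-01T02:11:00", "id": 4720, "host": "WS01", "subject": "jdoe", "target": "svc_backup"},
    {"ts": "2022-08-01T02:12:30", "id": 4732, "host": "WS01", "subject": "jdoe", "target": "svc_backup", "group": "Administrators"},
    {"ts": "2022-08-01T02:20:00", "id": 4688, "host": "WS01", "subject": "svc_backup", "process": "C:\\Users\\Public\\TeamViewer.exe"},
    {"ts": "2022-08-01T02:25:00", "id": 4688, "host": "WS01", "subject": "jdoe", "process": "C:\\Windows\\Temp\\mimikatz.exe"},
    {"ts": "2022-08-01T03:00:00", "id": 4688, "host": "WS01", "subject": "SYSTEM", "process": "C:\\Windows\\System32\\svchost.exe"},
    {"ts": "2022-08-02T09:00:00", "id": 4720, "host": "DC01", "subject": "helpdesk", "target": "new.hire"},
    {"ts": "2022-08-03T09:00:00", "id": 4732, "host": "DC01", "subject": "helpdesk", "target": "new.hire", "group": "Remote Desktop Users"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The point of the time window is that legitimate onboarding (the `new.hire` account above, made an RDP user a day later by the helpdesk) is not flagged, while an account created and made an administrator within minutes is. Name-based tool matching is easy to evade by renaming the binary, so in production pair it with file hashes or code-signing checks; it is kept here to show how the two rules reinforce each other.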
In another CISA (US-CERT) alert, the Zeppelin cyber threat group, known for highly targeted, carefully executed attacks with its Zeppelin ransomware, was active again. Its known victims include commercial enterprises, critical infrastructure operators, defense contractors, educational institutions, manufacturers, and technology companies. The Zeppelin ransomware can be deployed as a .dll or .exe file or wrapped in a PowerShell loader. Ransoms are demanded in cryptocurrency and have reached over a million US dollars.
The attacks typically follow this pattern:
- Reconnaissance: the group first maps and enumerates the targeted network to identify data enclaves, including cloud storage and network backups.
- Initial access: the network is entered via RDP exploitation, exploitation of SonicWall firewall vulnerabilities, or phishing campaigns.
- Exfiltration before encryption: sensitive data files are copied out, to be sold or published if the victim refuses to pay the ransom.
- Encryption: files are encrypted, and a randomized nine-digit hexadecimal number is appended to each encrypted file as its extension.
- A ransom note is left on the compromised systems.
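The appended extension in the encryption step is the one artifact of this chain that a file-share scan can catch quickly, and it shows up before most victims read the note. Below is an added example of such a scan; it is not Zeppelin’s code and not a vendor detection. The page only says nine hexadecimal digits; accepting a dash-separated 3-3-3 grouping as well follows the public advisory’s example and is an assumption beyond the page’s wording, as are the directory thresholds and the constructed sample tree.

```python
"""Spotting Zeppelin-style renamed files on a share.

Added example for this post, not the ransomware's code and not a vendor
detection. The page states a nine-digit hexadecimal extension; the dashed
3-3-3 grouping accepted here follows the public advisory's example and is an
assumption beyond the page's wording. Thresholds and the sample tree are
constructed.
"""
import os
import re
import tempfile
from collections import Counter

# Final extension is nine hex digits, either contiguous or grouped 3-3-3.
ZEPPELIN_EXT = re.compile(
    r"^\.(?:[0-9A-Fa-f]{9}|[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$")


def is_zeppelin_name(filename: str) -> bool:
    """True if the file's last extension looks like Zeppelin's appended marker."""
    return bool(ZEPPELIN_EXT.match(os.path.splitext(filename)[1]))


def scan_tree(root: str, min_hits: int = 5, min_ratio: float = 0.5) -> dict:
    """Walk a tree; a directory is suspicious when a burst of files carry the marker.

    A single nine-hex-digit name can be a coincidence (e.g. a build hash), so
    the directory-level thresholds (assumed values) are what reduce false
    positives: many renamed files, making up most of the directory.
    """
    hits, per_dir, totals = [], Counter(), Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            totals[dirpath] += 1
            if is_zeppelin_name(name):
                per_dir[dirpath] += 1
                hits.append(os.path.join(dirpath, name))
    suspicious = [d for d, n in per_dir.items()
                  if n >= min_hits and n / totals[d] >= min_ratio]
    return {"hits": sorted(hits), "suspicious_dirs": sorted(suspicious)}


def build_sample_tree() -> str:
    """Constructed tree: one 'encrypted' share, one clean share. Not real data."""
    root = tempfile.mkdtemp(prefix="zeppelin_demo_")
    hit_dir = os.path.join(root, "finance")
    os.makedirs(hit_dir)
    for i, ext in enumerate(["C59-E0C-929", "A1B2C3D4E", "0F0-F0F-0F0",
                             "deadbeef1", "123-456-789", "bak"]):
        open(os.path.join(hit_dir, f"q{i}.xlsx.{ext}"), "w").close()
    clean_dir = os.path.join(root, "hr")
    os.makedirs(clean_dir)
    for name in ["handbook.pdf", "org.xlsx", "notes.txt"]:
        open(os.path.join(clean_dir, name), "w").close()
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Run it against a file server on a schedule or wire the per-directory check into a file-activity monitor; a directory that flips from zero to mostly renamed files in minutes is the signal to isolate the host that holds the share open, since by the time the note appears the exfiltration step has already happened.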
Strike 3 You’re Out
In August, we also saw nation-state threat actors adopting the Sliver command-and-control (C2) framework as a replacement for Cobalt Strike. Sliver is an open-source C2 platform that supports user-developed extensions, custom implant generation, and a range of other post-exploitation options. Beyond providing long-term access to infected hosts, it has been used as a stager whose payloads retrieve and launch a fully featured backdoor on compromised systems.
Apart from Sliver, suspected Russian state-sponsored threat actors have also used Brute Ratel, a commercial adversary-simulation framework sold for legitimate red teaming, to evade detection.
In a more worrying development, a new and unusual RAT was detected that poses a triple threat. Dubbed Borat RAT, it gives operators a dashboard for the usual remote-access activities plus the ability to compile binaries for DDoS and ransomware attacks on the victim’s machine. The ransomware payload encrypts files on compromised machines and demands a ransom. A keylogger executable records keystrokes to a .txt file for exfiltration. Other functionality includes stealing credentials from browsers and Discord tokens, injecting malicious code into legitimate processes, and checking whether the system has a microphone and/or camera attached and, if so, recording from them.
Sloppy Clop Work
We will end on a lighter note. The prolific Russian-speaking gang Clop, known for extorting industrial organizations, boasted on its leak site that it had compromised the water utility Thames Water and stolen 5TB of data. When the victim refused to pay after negotiations, Clop posted some of the stolen documents, including passport and driver’s license scans and screenshots of software user interfaces, and claimed it had had access to the company’s network for months thanks to holes in its systems. There was one problem: Clop had not breached Thames Water at all. The actual victim was South Staffordshire, a separate water utility in the Midlands.
To find out whether your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and it suggests mitigations if it turns out that you are. IOCs for these campaigns are also available in the Cymulate UI.